Needs work
Project:
Views (for Drupal 7)
Version:
7.x-3.x-dev
Component:
comment data
Priority:
Major
Category:
Bug report
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
18 Jul 2011 at 17:15 UTC
Updated:
7 Jan 2019 at 16:27 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
xjmHm, this is applicable to any node access module. I checked with dereine and merlinofchaos. The Views relationship handler might be able to take care of this automatically.
Comment #2
xjmI also added a note to the TAC troubleshooting handbook page.
Comment #3
dawehnerWhat about this?
Comment #4
dawehnerCommited to 7.x-3.x after some advice from davereid. There are modules which has two access tags: commentrss.
Comment #5
dawehnerThis patch didn't worked that well. Reverted
Comment #6
dawehnerThis time the patch should work better.
Comment #7
agentrickardPatch works as expected against Domain Access 7.x.3.
Comment #8
dawehnerThanks for the review!
Commited to 7.x-3.x
Comment #10
damien tournoud commentedThis broke a lot of things.
The intention is good, but you cannot do it this way: Drupal doesn't allow you to define which base table(s) a tag applies to. By default, only one table is going to ever be used per tag.
What we do in Entity Reference, and is a bit of a hack, is to alter the query ourselves giving it only the new tag and the base table:
Views is going to need to go this way if we want to properly do access control across relationships, or the current patch needs to be reverted (see #1323366: Query access fails in certain cases on post-RC1 Views for an example of the breakage the current implementation causes).
Comment #11
damien tournoud commentedHere is the same idea applied to Views.
I also moved the tagging of the base query from
views_plugin_query_default::execute()toview::build(), as the previous patch introduced a generic notion of query tags.Comment #12
bojanz commentedTested, works for Commerce.
@agentrickard
Could you check if Domain Access still works with the latest patch?
Comment #13
bojanz commentedRetitling and promoting, since I don't think Views 7.x-3.0-RC2 should go out without this fixed.
Comment #14
dawehnerMh, $this->query->options is part of the query_default object so using this in the main view class seems to be kind of hacky.
But sure it makes sense to add a add_tag function.
Comment #15
damien tournoud commentedThe views_plugin_query_default::add_tag() method has been added by the previous patch. views_handler_relationship using it makes it more general then just the default query plugin, isn't it?
Maybe we should add a stub implementation in views_plugin_query, and move the 'disable_sql_rewrite' check to the add_tag method itself?
Comment #16
dawehnerUps :) Sure it makes sense to move them up.
I'm not sure about it. Why shouldn't you be allowed to add some other kind of tags to the query, Can't they by used for something else then rewriting query, perhaps logging?
Comment #17
agentrickardFor the record, the current patch fails with Domain Access. The query alter tag is not applied.
Comment #18
dawehnerHere is a new patch which fixes the above issue and some code-style stuff.
@agentrickard
Can you describe how this fails with DA and how to reproduce the problem. Maybe we can help here.
Comment #19
dawehnerHere is a patch which should not fail anymore. $alias vs $base_table was the problem.
Comment #20
webchickAccording to dereine, this is a release blocker for a stable version of Views.
Comment #21
agentrickardThe previous version of the patch did not apply the {node_access} JOIN when used with the default "recent comments" view. This new patch does, albeit with an error.
Odd, actually. because this part of the patch seems to fail on that View:
$this->tags is an array that contains 'tag' and 'table_alias', but not 'base_table'.
Comment #22
dawehnerComment #23
dawehnerToo many patches
Comment #24
agentrickarddereine found an issue with build_join() that prevented the query from running properly. This version is working on Domain Access for both the 'recent comments' and 'tracker' views.
However, I get the same results with the following code for
execute_alter_hooks():So I wonder just what the more complex version is trying to do.
Comment #25
dawehnerPlease react on this issue, because it doesn't seem to be that this is a real blocker.
So maybe there will be another RC without this patch, sorry.
Comment #26
damien tournoud commented#24 looks ok to me.
Just to answer the question:
This version is meant to be able to apply several tags across more then just one relationship. Ie. it will apply the proper access control when you add a third relationship to the mix (for example:
node -> comment -> author of commentorcomment -> parent comment -> parent commentwill all work properly).Comment #27
damien tournoud commentedAnd yes, fixing this properly is definitely very high priority for me.
Comment #28
bojanz commentedOkay, I just diffed the latest patches. Only concerned about this part:
Will this work if the table gets joined in twice?
Comment #29
dawehnerWell at the end the only thing which will be set to the query is base_table + the access tag.
The patch uses $this->tags[] = array(...); so there will be a tag foreach relationship and so a query-altering foreach relationship.
So this seems to be fine.
Comment #30
damien tournoud commentedThis is a small test module for manual testing: it implements an access control strategy that:
Comment #31
dawehnerGreat thanks! Anyway as multiple people now have tested it commited to 7.x-3.x
A small step for access, but a big step for the release.
Comment #32
damien tournoud commentedSo the committed patch is definitely not correct. It issues a
'base_table'metadata that is not aliased, and as a consequence doesn't match a table of the query.Here is a the export of a view that I'm using to test this. If the patch was correct, I would result in the following query:
Comment #33
damien tournoud commentedThis fixed the mentioned view for me.
Comment #34
dawehnerOkay this one works for me as well
This was the actual bug fix, which made this working.
Comment #35
bojanz commentedI knew #28 smelled like trouble :P
Great job, guys!
Comment #36
dawehnerBased on @damz research reverted this patch. Damz told that this might be a bug of entity_reference/commerce
Comment #37
bojanz commentedSad panda :(
So what happened? Why was the whole patch rolled back?
Comment #38
rfayRelated: #1276450: Views results empty for unprivileged user when using Relationship: Content: Referenced Product, which I've set to 1.1 blocker for now - perhaps it just needs documentation. But I think a lot of people probably don't understand the issues involved and will have odd things happening to their production views.
Comment #39
dawehnerJust a random patch which allows to not add a access tag.
Comment #40
damien tournoud commented#39 is not going to work: core doesn't support picking which joined tables are affected by access control and which are not. It merely apply the access control to all the tables that have the same name as the 'base_table'.
Comment #41
dawehnerWell this patch would allow some people to get the same behavior as RC1.
Comment #42
dawehnerThis issue is now not about the initial problem anymore... see #36
Comment #43
MeDAN commentedWho can give me a clue how to solve my problem ?
#1354550: Problems when user don't have "Bypass content access control" permission
I see here 1000 patches and as I see in the discussion 99% of them don't work.
Comment #44
czigor commentedI have the same problem as in #1354550: Problems when user don't have "Bypass content access control" permission. I applied the patch #39, ticked the checkbox on the relationship settings form but as predicted in #40 it did not deprive the query of the node_access inner joins. They stay even if I comment these lines out from views_handler_relationship.inc (around line 147):
Comment #45
rcross commentedsurprised to see this is still an issue... seems like its the root of #1276450: Views results empty for unprivileged user when using Relationship: Content: Referenced Product
Comment #46
Katrina B commentedThis is still a problem in 7.x-3.3 as well; it'd be nice to see this problem fixed. I had to remove relationships from a View to make the View accessible to anonymous users -- I'd prefer not to have to do that.
Comment #47
Taxoman commentedComment #48
xjmComment #49
freelockAs posted on #1349080: node_access filters out accessible nodes when node is left joined, I spent some time in a debugger and tracked it down to a core bug in Node module, when any node_access is applied to the query.
#1409640: Taxonomy terms on node relationship potentially joins on wrong table looks like a different bug.
Comment #50
damienmckennaClosing this, it feels like the remaining problems are being handled in core via #1349080.
Comment #51
salvisSorry, but no, this is not fixed.
#1349080: node_access filters out accessible nodes when node is left joined is about showing more nodes, not less comments. Besides, #1349080-332: node_access filters out accessible nodes when node is left joined for D7 has been sitting there for 3 years now, with no hope of being committed, so this definitely remains an open issue with Views for D7.
Comment #52
damienmckenna@salvis: Thanks for clarifying that.
So I think what we need here is to follow a test-driven approach - start with writing some test coverage that shows the problem, then we can fix the root problem.